FBI Busts Mayor For Hacking Recall Website

New Jersey mayor and son arrested and accused of targeting website and email account associated with a campaign to recall the mayor.

The FBI last week arrested the mayor of the northern New Jersey town of West New York (population 50,000), together with his son, on charges of hacking into a website--and a related email account--that called for the mayor's recall.

The men behind the alleged hack attack--Felix Roque, 55, and Joseph Roque, 22--have been charged with gaining unauthorized access, causing damage to protected computers, and conspiracy to commit those crimes. If convicted of all charges, they each face up to 11 years in prison and fines of up to $750,000.

As first quipped by Mashable.com, the alleged attacks give new meaning to the term "political hack."

The allegedly hacked website, www.recallroque.com, was created in early February 2012 by an anonymous public official who lives in Hudson County, N.J., and who is referred to in court documents as "Victim 1." The now-defunct recall campaign website, which was hosted by GoDaddy.com, offered pointed commentary and criticism of Mayor Roque and his administration.

The mayor apparently decided to retaliate. "On February 6, 2012, Mayor Roque and his son, Joseph Roque, schemed to hack into and take down the website and to identify, intimidate, and harass those who operated and were associated with the website," read court documents. Prosecutors accused Joseph Roque of first emailing the recall site's owner to arrange an in-person meeting. When that failed, he searched Google for "hacking a GoDaddy Site," "recallroque log-in," and "html hacking tutorial," according to court documents, and ultimately was able to redirect all of the website traffic to Weebly, a service provider located in California, and store a copy of the data there.

"By the late afternoon of February 8, 2012, Joseph Roque had successfully hacked into various online accounts used in connection with the recall website. Joseph Roque then used that access to disable the website. Mayor Roque harassed and attempted to intimidate several individuals whom he had learned were associated with the recall website," read the court documents.

"Mayor Roque stated that he, the Mayor, had a friend in high levels of government who had shut the Recall Website down," read the complaint. According to Victim 1, Mayor Roque stated that "everyone would pay for getting involved against him." Roque also claimed to have obtained the information about the site's owner via a friend at the CIA.

Officials have accused the men of a "violation of public trust" for attacking other people's right to free speech. "The elected leader of West New York and his son allegedly hacked into computers to intimidate constituents who were simply using the Internet to exercise their Constitutional rights to criticize the government," said U.S. Attorney Paul J. Fishman, in a statement. "We will continue to investigate and prosecute those who illegally hack into computers and disable websites with the goal of suppressing the exercise of that right."

The FBI also suggested that its cyber-crime investigation capabilities could have been put to better use. "It's incredibly disappointing that resources have to be diverted from protecting the U.S. against cyber intrusions targeting critical infrastructure, federally funded research, and military technology to address a public official intruding into computer systems to further a political agenda," said FBI Special Agent in Charge Michael B. Ward, in a statement.

Given that these allegations were leveled over a recall website, might the alleged hack attack now also lead to Roque's removal as mayor before his elected term expires on April 30, 2014? Reached by phone, a town public affairs official said she had no comment on the matter. The mayor's office, meanwhile, didn't immediately return a phone call requesting comment.

Mayor Roque, however, told law enforcement personnel during a March 2012 interview that he had nothing to do with any hacking attacks. "Mayor Roque denied directing his son ... to take down the Recall Website or to hack into it. Mayor Roque further stated that if his son did something wrong, he [Joseph] should go to jail, and that if he [Mayor Roque] did something wrong he [Mayor Roque] should go to jail as well," said FBI special agent Ignace Ertilus in a court filing. "Mayor Roque stated, among other things, that he would be fine if he had to go to jail because he was set financially and had 'lived the dream,' and would not have a problem with serving time in jail because he would work out and read while there."
